Upgrade to 2.36.7 for Focal and Jammy

Bug #1970779 reported by Luís Infante da Câmara
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| wpewebkit (Ubuntu) | Incomplete | Medium | Unassigned | |
| Focal | Confirmed | Undecided | Spyros Seimenis | |
| Jammy | Confirmed | Undecided | Spyros Seimenis | |

Bug Description

I want to upgrade the versions in Focal and Jammy to 2.36.7 to fix security issues and other bugs, as well as adding features that increase compatibility with current websites.

The version in Focal is affected by all vulnerabilities listed below.

The version in Jammy is vulnerable to
CVE-2022-22677, CVE-2022-26700, CVE-2022-26709, CVE-2022-26710, CVE-2022-26716, CVE-2022-26717, CVE-2022-26719, CVE-2022-30293, CVE-2022-30294, CVE-2022-32792, CVE-2022-32816 and CVE-2022-32893.

Debian released an advisory on April 8.

no longer affects: webkitgtk (Ubuntu)
no longer affects: webkit2gtk (Ubuntu)
summary: - Multiple vulnerabilities
+ Multiple vulnerabilities in Bionic, Focal and Impish
description: updated
description: updated
Changed in wpewebkit (Ubuntu):
status: New → Incomplete
description: updated
description: updated
description: updated
description: updated
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
summary: - Multiple vulnerabilities in Bionic, Focal and Impish
+ Multiple vulnerabilities in Focal and Impish
description: updated
Changed in wpewebkit (Ubuntu):
status: Incomplete → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote : Re: Multiple vulnerabilities in Focal and Impish
Luís Infante da Câmara (luis220413) wrote :

When trying to post a debdiff, I get a timeout or a server error (see bug #1973814). Therefore, I am posting the Debian packaging tarball and the .dsc file.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "wpewebkit_2.36.1-1ubuntu0.20.04.1.debian.tar.xz" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Luís Infante da Câmara (luis220413) wrote :

Uploading a debdiff for Impish is taking too long. Therefore, I am also posting the Debian packaging tarball and the .dsc file.

Changed in wpewebkit (Ubuntu):
status: In Progress → Fix Committed
Luís Infante da Câmara (luis220413) wrote :

The version in Jammy is not vulnerable, but a backport to Jammy is needed to ensure that upgrading to Jammy works.

Luís Infante da Câmara (luis220413) wrote :

I am now building version 2.36.3 (released today), with several bug fixes compared to 2.36.1. Source packages will be available in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates) tomorrow.

Changed in wpewebkit (Ubuntu):
status: Fix Committed → In Progress
Luís Infante da Câmara (luis220413) wrote :

Due to an out-of-memory issue when building the package in Jammy, I needed to increase swap and retry the build. I uploaded the Jammy source package just now.

Patched source packages are available in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates).

Changed in wpewebkit (Ubuntu):
status: In Progress → Fix Committed
description: updated
description: updated
summary: - Multiple vulnerabilities in Focal and Impish
+ Multiple vulnerabilities in Focal, Impish and Jammy
Changed in wpewebkit (Ubuntu):
status: Fix Committed → In Progress
Luís Infante da Câmara (luis220413) wrote : Re: Multiple vulnerabilities in Focal, Impish and Jammy

The upstream project issued a security advisory today: https://wpewebkit.org/security/WSA-2022-0005.html. The changelog in the patched packages was updated just now.

These patched packages are currently building in my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates), as of 08:48 UTC.

Changed in wpewebkit (Ubuntu):
status: In Progress → Fix Committed
Eduardo Barretto (ebarretto) wrote :

Hi Luís,

As my colleague mentioned to you previously, except for a few exceptions, such as ffmpeg, we generally don't accept new upstream maintenance releases into the security sponsoring process.

As you can see on bug #1973814, the diff between the versions you want to upgrade is too big and introduces too many new changes that could cause regressions and other issues.

If you really want to introduce new upstream microreleases, you can perhaps try getting them sponsored as Stable Release Updates:

https://wiki.ubuntu.com/StableReleaseUpdates

Otherwise, please send debdiffs only containing the security fixes.

Changed in wpewebkit (Ubuntu):
status: Fix Committed → New
summary: - Multiple vulnerabilities in Focal, Impish and Jammy
+ Upgrade to 2.36.3 for Focal, Impish and Jammy
description: updated
Luís Infante da Câmara (luis220413) wrote : Re: Upgrade to 2.36.3 for Focal, Impish and Jammy

I have just transformed this bug into a Stable Release Update bug.

description: updated
Changed in wpewebkit (Ubuntu):
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Marc Deslauriers (mdeslaur) wrote :

wpewebkit is basically the same source code as the webkit2gtk package. Since we do allow full version upgrades to webkit2gtk as security updates, it makes sense to allow them for wpewebkit also.

That being said, what's the plan to test these updates? Nothing much in the archive seems to depend on them, so the only reason we would maintain them is for third party packages. Do we have an idea what third party packages would link to the wpewebkit package in Ubuntu, if they are compatible with 2.36.3, and how we would go about testing them?

Luís Infante da Câmara (luis220413) wrote :

We can use cog for testing that the CVEs are fixed, if necessary. Due to the exception in comment #18, I believe that this bug can go through the security sponsoring process.

The snap https://snapcraft.io/wpe-webkit-mir-kiosk has been installed/used recently by a substantial number of users (according to the "Where people are using" map) and uses an outdated version of WPE WebKit (2.30.5), but still later than the version currently in 20.04: https://gitlab.com/glancr/wpe-webkit-snap/-/blob/main/snap/snapcraft.yaml#L167

Please publish patched packages immediately.

Mathew Hodson (mhodson)
Changed in wpewebkit (Ubuntu):
importance: Undecided → Medium
Luís Infante da Câmara (luis220413) wrote :

I have sent an email to the upstream mailing list (webkit-wpe) asking if anyone is using the WPE WebKit packages in Ubuntu in production: https://lists.webkit.org/pipermail/webkit-wpe/2022-June/000520.html

Luís Infante da Câmara (luis220413) wrote :

The upstream project recommends updating the versions of WPE WebKit, especially when they include fixes for known security issues: https://lists.webkit.org/pipermail/webkit-wpe/2022-June/000522.html

Luís Infante da Câmara (luis220413) wrote :

Version 2.36.4 was released today.

Luís Infante da Câmara (luis220413) wrote :

Patched packages are building in my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates.

These packages also address all Lintian errors and warnings that can be addressed, except those in the version or in the changes file (PPA uploads must go into the release pocket, but the changelog mentions the security pocket to match security uploads).

summary: - Upgrade to 2.36.3 for Focal, Impish and Jammy
+ Upgrade to 2.36.4 for Focal, Impish and Jammy
description: updated
description: updated
Luís Infante da Câmara (luis220413) wrote : Re: Upgrade to 2.36.4 for Focal, Impish and Jammy

Given the first paragraph of comment #18, I just converted this bug back into a security update.

description: updated
Changed in wpewebkit (Ubuntu):
status: New → Fix Committed
description: updated
summary: - Upgrade to 2.36.4 for Focal, Impish and Jammy
+ Upgrade to 2.36.4 for Focal and Jammy
Eduardo Barretto (ebarretto) wrote : Re: Upgrade to 2.36.4 for Focal and Jammy

Just adding some notes about this request:

1. 200MB debdiff, really hard to verify/validate/test. We need to think of a good way to guarantee that we are not introducing issues.

2. On Luis' PPA the package fails to build on some architectures. Luis is going to trigger another build and see if it passes. If it fails and continues to not include logs on why it fails, I will ask the Launchpad team to investigate what's happening.

Luís Infante da Câmara (luis220413) wrote :

Impish will reach end-of-life tomorrow.

description: updated
description: updated
Luís Infante da Câmara (luis220413) wrote :

As I mentioned in the #ubuntu-security channel, to guarantee that we are not introducing issues, in addition to testing the package, only consider the changes in the Debian packaging tarball (ignoring the upstream changes).

Luís Infante da Câmara (luis220413) wrote :

The patched source packages build successfully on all architectures.

Eduardo Barretto (ebarretto) wrote :

My colleague Spyros will be taking a look at whether he can bring kinetic's version to Jammy and Focal.

Changed in wpewebkit (Ubuntu Focal):
assignee: nobody → Spyros Seimenis (sespiros)
Changed in wpewebkit (Ubuntu Jammy):
assignee: nobody → Spyros Seimenis (sespiros)
Spyros Seimenis (sespiros) wrote :

Hello Luis,

Thanks for your time and for helping with the security of Ubuntu!

So the wpe-webkit-mir-kiosk snap is actually vendoring libwpe, wpewebkit and wpebackend-fdo directly from upstream so it's not using the debs in the archive. I saw you opened a PR for them as well to update the versions used.

I built my own updates for focal and jammy and also tried yours from your PPA, but I am having some trouble while testing to check for regressions, i.e., I can't get cog to run without crashing in any configuration.

So since we don't have any indication that this package is widely used and since I cannot consistently test it for regressions, I am hesitating to push an update for it and it's sitting at a low priority at the moment.

Could you please share how you tested the packages you provided, in case I am missing something?

Luís Infante da Câmara (luis220413) wrote :

WPE WebKit 2.36.6 was released today and I will package it next week (August 8-14).

summary: - Upgrade to 2.36.4 for Focal and Jammy
+ Upgrade to 2.36.6 for Focal and Jammy
description: updated
description: updated
Changed in wpewebkit (Ubuntu):
status: Fix Committed → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Luís Infante da Câmara (luis220413) wrote : Re: Upgrade to 2.36.6 for Focal and Jammy
Changed in wpewebkit (Ubuntu Focal):
status: New → Confirmed
Changed in wpewebkit (Ubuntu Jammy):
status: New → Confirmed
description: updated
Marc Deslauriers (mdeslaur) wrote :

Please give details on how you are testing these updates. We will not be sponsoring packages that haven't been tested, and that we are unable to test ourselves.

Luís Infante da Câmara (luis220413) wrote :

Test plan:

1. Add my PPA (https://launchpad.net/~luis220413/+archive/ubuntu/security-updates/) to a test system running Ubuntu 20.04 or 22.04 (both releases must be tested).
2. Install cog with "sudo apt install cog"
3. Run cog -P x11 https://ubuntu.com/
4. Run cog -P headless https://ubuntu.com/
5. Run the following commands:
$ sudo snap install --classic snapcraft
$ git clone https://gitlab.com/ist199099/wpe-webkit-snap
$ cd wpe-webkit-snap
$ snapcraft

Running cog -P wl https://ubuntu.com/ does not work on my Ubuntu 22.04 VM:

wl_registry@2: error 0: invalid version for global wl_seat (15): have 5, wanted 7

(cog:16279): Cog-WARNING **: 17:47:19.437: Platform setup failed: Could not initialize EGL (0x3001)

Spyros Seimenis (sespiros) wrote :

Hello Luis, I am following your steps using a fresh focal VM. I log in to X and I get:

cog -P x11 https://ubuntu.com

** (cog:4561): WARNING **: 21:06:09.862: Could not load: libcogplatform-x11.so (possible cause: No such file or directory).

wpe: could not load the impl library. Is there any backend installed?: libWPEBackend-default.so: cannot open shared object file: No such file or directory
Aborted (core dumped)

Same error with "-P headless". This is for the cog and libwpe that are currently in our archive.

I had also added some comments in https://bugs.launchpad.net/ubuntu/+source/wpewebkit/+bug/1981592/comments/4 with a few more of my attempts. Thanks again for monitoring this.

Marc Deslauriers (mdeslaur) wrote :

I can't get cog to work on 20.04:

$ cog -P x11 https://ubuntu.com

** (cog:4346): WARNING **: 14:11:55.892: Could not load: libcogplatform-x11.so (possible cause: Resource temporarily unavailable).

wpe: could not load the impl library. Is there any backend installed?: libWPEBackend-default.so: cannot open shared object file: No such file or directory
Aborted (core dumped)

$ cog -P headless https://ubuntu.com

** (cog:4370): WARNING **: 14:12:05.112: Could not load: libcogplatform-headless.so (possible cause: No such file or directory).

wpe: could not load the impl library. Is there any backend installed?: libWPEBackend-default.so: cannot open shared object file: No such file or directory
Aborted (core dumped)

I have no idea why you are making a snap in the comment above... that has nothing to do with this bug or with the wpewebkit package in the archive...

summary: - Upgrade to 2.36.6 for Focal and Jammy
+ Upgrade to 2.36.7 for Focal and Jammy
description: updated
Eduardo Barretto (ebarretto) wrote :

Luis, you keep updating the description but you haven't replied to comment 36.
Please provide the information requested.

Changed in wpewebkit (Ubuntu):
status: In Progress → Incomplete
Changed in wpewebkit (Ubuntu):
assignee: Luís Infante da Câmara (luis220413) → nobody
This report contains Public Security information  
Everyone can see this security related information.
